zulip/hubot-zulip

hubot-zulip doesn't work with self signed SSL certs

sabotrax opened this issue · 11 comments

I ran
HUBOT_ZULIP_SITE=https://zulip.example.com HUBOT_ZULIP_BOT=hubot-bot@example.com HUBOT_ZULIP_API_KEY=your_key bin/hubot -a zulip

with values corrected for my local installation and got:

Zulip API Error: unable to verify the first certificate
[Fri Oct 16 2015 14:19:28 GMT+0200 (CEST)] ERROR Error: unable to verify the first certificate
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:929:36)
at TLSSocket.emit (events.js:104:17)
at TLSSocket._finishInit (_tls_wrap.js:460:8)

I think probably the right solution to this problem is to just provide a documented path for passing into the integration the path to an SSL certificate it can use to verify communication with the server.

Having the same issue here, however the certificate is valid from where I'm connecting from (cURL works, btw):

Zulip API Error: SSL Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE

Any pointers?

I've tried to disable strict-ssl, rejectUnauthorized on Requests lib used by Zulip as well as disabling Node TLS check and it still provides me the same error message.

Other alternatives in case it works for anyone else: request/request#418

I'm getting something similar with the error ...

Error: DEPTH_ZERO_SELF_SIGNED_CERT
    at SecurePair.<anonymous> (tls.js:1370:32)
    at SecurePair.EventEmitter.emit (events.js:92:17)
    at SecurePair.maybeInitFinished (tls.js:982:10)
    at CleartextStream.read [as _read] (tls.js:469:13)
    at CleartextStream.Readable.read (_stream_readable.js:320:10)
    at EncryptedStream.write [as _write] (tls.js:366:25)
    at doWrite (_stream_writable.js:223:10)
    at writeOrBuffer (_stream_writable.js:213:5)
    at EncryptedStream.Writable.write (_stream_writable.js:180:11)
    at write (_stream_readable.js:583:24)

I did try a couple of the workarounds suggested in request/request#418, but to no avail.

I'm getting something a little different:

zulip@zulip:~/r2z2$ HUBOT_ZULIP_SITE=https://zulip.example.com HUBOT_ZULIP_BOT=zulip-bot@example.com HUBOT_ZULIP_API_KEY=key bin/hubot -a zulip
Zulip API Error: self signed certificate in certificate chain
[Tue Oct 27 2015 15:11:47 GMT-0500 (CDT)] ERROR Error: self signed certificate in certificate chain
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:1000:38)
at emitNone (events.js:67:13)
at TLSSocket.emit (events.js:166:7)
at TLSSocket._finishInit (_tls_wrap.js:567:8)

Is there a way to provide a path to the SSL cert?

The Hubot integration uses zulip-node, not the Python API: https://github.com/zulip/zulip-node

The Python API has an open PR to add support for specifying a certificate, but the Node API bindings do not. If someone wants to address this, I'd recommend working on the problem in zulip-node. I don't think there's a way to provide a path to the SSL cert right now but surely there's an easy way to pass a cert path into the Node HTTPS libraries (if fixing this requires switching to a different library, that's totally fine)...

I believe I have a workaround for this. It's not pretty, but it seems to be working.

The Zulip installation I'm working with has an SSL certificate that is signed, but doesn't return a full certificate chain back to the root, so request validation for HTTPS was failing. When I ran hubot with the zulip adapter, right away I started getting the initial "unable to verify the first certificate" errors.

After a little research, I found the NODE_TLS_REJECT_UNAUTHORIZED=0 setting and started using it. Then my error changed slightly to the one mentioned above: "Zulip API Error: SSL Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE"

Digging into the source a little (/[your_bot_root]/node_modules/request/request.js, around line 639), there is a check to validate the secure connection:

  // XXX This is different on 0.10, because SSL is strict by default
  if (self.httpModule === https &&
      self.strictSSL &&
      !response.client.authorized) {
    debug('strict ssl error', self.uri.href)
    var sslErr = response.client.authorizationError
    self.emit('error', new Error('SSL Error: '+ sslErr))
    return 
  } 

Setting "self.strictSSL = true" just before this code (or, presumably, removing the self.strictSSL check in the IF statement) disrupts the error and allows the connection to continue. Ta-daa: a working, connecting hubot.

Is there a way to feed this setting into hubot-zulip as a config variable and have it persist to node.js?

I am running into the same issue richardwlu is running into. Has this been resolved or is there a good workaround for it? I tried the workaround mentioned by the previous post to no avail. Thanks!

The easiest solution is to just get a free real SSL cert from LetsEncrypt.

That's the thing, I am no longer using a self-signed certificate. I replaced it in the nginx config, is there somewhere else that needs to be updated to recognize that I am no longer using a self-signed certificate? I apologize if this is documented somewhere, I haven't been able to find anything related to it other than this issue. Thanks!

From: Tim Abbott
Sent: Tuesday, May 3, 2016 9:32 PM
To: zulip/hubot-zulip
Reply To: zulip/hubot-zulip
Cc: Robitaille, Cameron; Comment
Subject: Re: [zulip/hubot-zulip] hubot-zulip doesn't work with self signed SSL certs (#6)

The easiest solution is to get a free real SSL cert from LetsEncrypt.



I followed the steps in the answer on this link and it resolved my certificate issues.

http://stackoverflow.com/questions/32248166/socket-io-unable-to-verify-the-first-certificate

Thanks!

We ran into this issue and solved it by setting the NODE_EXTRA_CA_CERTS=/path/to/cert.pem environment variable before starting hubot. It seems that this mechanism didn't exist in nodejs when the issue was initially raised.

More info at https://stackoverflow.com/questions/29283040/how-to-add-custom-certificate-authority-ca-to-nodejs
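
As a per-client counterpart to the process-wide NODE_EXTRA_CA_CERTS setting above, and to the earlier request for a way to pass a certificate into the Node HTTPS libraries, the following added example (not code from this thread, hubot-zulip or zulip-node) checks a PEM bundle and builds an `https.Agent` that trusts it while leaving verification on. The function names `inspectBundle` and `agentTrusting` are hypothetical, and the sample bundle is constructed from one of Node's bundled roots standing in for a private CA file.

```javascript
const crypto = require('crypto');
const https = require('https');
const tls = require('tls');

const PEM_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Parse every certificate in a PEM bundle and describe it.
// `now` is a parameter so the validity check can be exercised deterministically.
function inspectBundle(pemText, now = new Date()) {
  const blocks = pemText.match(PEM_RE) || [];
  if (blocks.length === 0) throw new Error('no PEM certificates found in bundle');
  return blocks.map((pem) => {
    const cert = new crypto.X509Certificate(pem); // throws on malformed input
    return {
      pem,
      subject: cert.subject,
      // Subject equal to issuer means a root (or a self-signed leaf);
      // anything else is an intermediate the server may have failed to send.
      selfIssued: cert.subject === cert.issuer,
      expired: new Date(cert.validTo) < now,
      notYetValid: new Date(cert.validFrom) > now,
    };
  });
}

// Build an agent for a single client instead of changing trust process-wide.
// Passing `ca` replaces Node's default trust store, so the bundled roots are
// appended explicitly to keep publicly trusted sites working.
function agentTrusting(pemText, now = new Date()) {
  const certs = inspectBundle(pemText, now);
  const bad = certs.filter((c) => c.expired || c.notYetValid);
  if (bad.length > 0) {
    throw new Error('unusable certificate in bundle: ' + bad[0].subject);
  }
  return new https.Agent({
    ca: [...tls.rootCertificates, ...certs.map((c) => c.pem)],
    rejectUnauthorized: true, // stated explicitly rather than left to the environment
  });
}

// Constructed sample input: a bundled root stands in for /path/to/cert.pem.
const SAMPLE_BUNDLE = tls.rootCertificates[0] + '\n';
```

How the resulting agent would be handed to the HTTP client that zulip-node uses is not shown here and would depend on that library's options.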